Understanding IoT Vulnerabilities: Overflow

This type of vulnerability usually affects vulnerabilities in the smart device’s software that allow cybercriminals to cause anomalies in the way that software – or application – operates. Also referred to as “buffer overflow”, attackers spend a lot of time looking at that code within the software of application, trying to find out how to cause erratic application behavior, incorrect results, crashes, or even breach the  system’s security.

Before digging deeper into this issue, it is important to understand how computers allocate memory for various tasks, from doing basic math to receiving information from the outer world. In order to store this information in memory, the operating system allocates a “buffer” – a chunk of memory of specific length.

These buffers are daisy-chained across the computer’s memory space, as multiple applications allocate multiple buffers for their own tasks. If a hacker were able to pass more information that the operating system has allocated a buffer for, the extra data overwrites a neighboring buffer. When the program that owns the neighboring buffer attempts to access it, it would find there different instructions that might hijack what the program was initially instructed to do. The only thing the hacker needs to do is to spot a vulnerability to overwrite that memory space with a maliciously constructed buffer that contains the right instructions in the right place.

Passing malicious buffers can take multiple forms: imagine having a smart device and using the companion mobile application to log into your account in order to send instructions to your IoT. Usually, a user name and password are required for authentication before you can connect to the device. If, for some reason, the form fields where you input your credentials expects a password of a specific length but does not check for boundaries, attackers could use them to send random commands or excessively long strings of characters to the device.

Because the device does not know how to interpret that long sequence of characters, the authentication application may crash or display sensitive information. Sometimes, depending on the size of that sequence of characters represents or its contents, hackers can even breach the device’s security, tricking the application into thinking the login is successful. Malformed requests to the web server APIs can do the same.

Buffer overflow vulnerabilities are serious vulnerabilities in software that can ultimately lead to full smart device compromise. Similar vulnerabilities have been found by Bitdefender researchers in internet-connected smart cameras, which could have potentially enabled attackers to take remote control of hundreds of thousands of device around the world. Finding these special cases of memory corruption usually require extensive coding knowledge, but cybercriminals often find them far more rewarding as they have a huge potential.

Weaponizing these vulnerabilities in a popular and widely deployed smart device, could enable hackers to remotely spy on victims, collect personal information, or even use the controlled devices to perform other types of attacks, such as denial of service.

Since these are programming vulnerabilities, users’ only defense against these types of attacks is to always have the latest security updates and fixes installed. IoT manufacturers should constantly push security updates and fixes to smart devices whenever known vulnerabilities are reported, keeping user devices and data safe from cybercriminals.

It’s also advised to have a home network cybersecurity solution installed, as it can not only notify users if smart devices are vulnerable, but also if security updates are available for installation. More than that, it can perform an overall assessment of the security status of your home network device, while also keeping cybercriminals away.

2 comments

  • By Charlie - Reply

    Wow!!!Read this, talk about cyberchase!!!

  • By John - Reply

    Bitdefender flagged my wifi connection router as medium risk, telus telling me that I cannot change the password, so what can I do to protect my self, I got a message that my computer was hacked, what can I do to protect my self if Bitdefender can’t protect me from malware who can..

  • Add Comment

    Your email address will not be published. Required fields are marked *